Syvizo

Decode JWT Token



When to use

Use this policy when you want to verify the claims in a JWT before verifying its signature.



Details

The JWT Decode policy decodes a JWT (JSON Web Token) without verifying its signature. This functionality is particularly valuable when used alongside the VerifyJWT policy, where the value of a specific claim within the JWT needs to be known before validating the JWT's signature.

The JWT Decode policy can decode JWTs regardless of the signature algorithm used. It extracts the data within the token, making it accessible for further processing within the API proxy. Because the signature is not checked, the decoded values are unauthenticated until the token has been verified.

For a comprehensive introduction to these policies and their functionalities, refer to the JWS (JSON Web Signature) and JWT policies overview.



Configuration

The configuration fields for the policy are:

[* Indicates a mandatory field]

Name *: Display name of the policy

Description: Description of policy

Enabled: Flag to indicate if the policy is enabled. If this field is not checked, the policy will be ignored at runtime and each of its output fields will contain a default initial value.

Continue on Error: Flag to indicate that the flow should continue even if this policy throws an error

Algorithm: Specifies the algorithm to be used for the token signature



Input fields

jwtToken: The token to be decoded



Output fields

audience: Value of the field ‘audience’ if it is present in the token

expiry: Value of the token's ‘expiry’ time

issuedAt: Value of time when the token was issued

issuer: Value of ‘issuer’

subject: Value of ‘subject’

isExpired: Boolean; true if the token is expired, otherwise false

timeRemaining: Remaining time if the token is not expired

claims: A collection of objects containing the name and value of each claim

algorithm: Algorithm used to sign the token
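
The following added example (not Syvizo's own code) shows what decoding without signature verification involves and how the output fields above can be derived. The mapping of the registered claims aud, exp, iat, iss and sub to the output field names, and timeRemaining being expressed in seconds, are assumptions; the sample token is constructed.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip '=' padding) to a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def decode_jwt_unverified(jwt_token, now=None):
    """Decode header and payload only. The signature is NOT checked, so every
    returned value is untrusted until the token has been verified."""
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"malformed JWT: {exc}") from exc
    now = time.time() if now is None else now
    exp = payload.get("exp")
    has_exp = isinstance(exp, (int, float)) and not isinstance(exp, bool)
    is_expired = bool(has_exp and now >= exp)
    return {
        # Assumed mapping of registered claims to the policy's output fields.
        "audience": payload.get("aud"),
        "expiry": exp,
        "issuedAt": payload.get("iat"),
        "issuer": payload.get("iss"),
        "subject": payload.get("sub"),
        "isExpired": is_expired,
        # Assumption: seconds left; None when expired or no 'exp' claim.
        "timeRemaining": exp - now if has_exp and not is_expired else None,
        "claims": [{"name": k, "value": v} for k, v in payload.items()],
        "algorithm": header.get("alg"),  # taken from the unverified header
    }

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token; the third part is a dummy and is never inspected.
SAMPLE = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://idp.example", "sub": "user-1", "aud": "orders-api",
             "iat": 1700000000, "exp": 1700003600, "role": "admin"}),
    "ZHVtbXk"])
```

The sample decodes successfully even though its signature part is a dummy, which is why the decoded fields should only drive decisions such as selecting the verification key or rejecting an unexpected issuer early.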